Attivo Networks issued a report detailing severe vulnerabilities in the nation's POS systems that could lead to large breaches during the holiday shopping period and on into next year. The report, based on primary research, shows how attackers move laterally through networks undetected, compromise asset management servers, and then use those servers to plant malware on POS terminals for either timed or remote activation, laying the foundation for wide-scale theft of credit card data. According to the report, traditional security devices have proven ineffective at detecting an attacker's lateral movement, at providing visibility into malware activation between asset servers and POS terminals, and at accurately correlating attack forensic data.

The lack of visibility into POS attacks gives attackers as much time as they need to find and compromise a key asset, such as an Active Directory or patch management server, that exposes the POS payment processing gateways. Once such a server is identified, the attacker deploys malware through the patch management software and then compromises the payment processing application, using a RAM scraper as the final payload to harvest card data from process memory and upload it. The report adds that once an environment has been compromised, it remains a constant challenge for organizations to gain visibility into how widespread the attack is and to conclusively shut it down.
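The RAM scraper stage described above works because the payment application holds unencrypted magstripe track data in memory between the swipe and encryption. The following is an added example, not code from the report or from Attivo Networks, showing the same pattern search a scraper performs, turned to defensive use: it scans a constructed slice of POS process memory for Track 2 records, keeps only those whose PAN passes the Luhn checksum, and reports them masked so the findings can be logged. The buffer contents and the process name in it are constructed; the PANs are the publicly known test numbers 4111111111111111 and 4111111111111112, not real card data.

```python
import re

# Track 2 as stored on a magstripe: start sentinel ';', PAN (13-19 digits),
# field separator '=', YYMM expiry, 3-digit service code, discretionary data,
# end sentinel '?'. RAM scrapers search process memory for exactly this shape.
# The negative lookbehind stops a match from starting inside a longer digit run.
TRACK2_RE = re.compile(
    rb"(?<![0-9])([0-9]{13,19})=([0-9]{2}(?:0[1-9]|1[0-2]))([0-9]{3})([0-9]{0,20})\??"
)


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) checksum; filters digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4 so a finding can be logged without the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> list:
    """Scan a memory buffer for Luhn-valid Track 2 records; return masked findings."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if not luhn_valid(pan):
            continue                # looks like a track but the PAN is not a card number
        hits.append({
            "offset": m.start(),
            "pan": mask_pan(pan),
            "expiry_yymm": m.group(2).decode("ascii"),
            "service_code": m.group(3).decode("ascii"),
        })
    return hits


# Constructed sample: a fake slice of POS process memory (hypothetical process
# name, fake receipt id). Only the first track should be reported.
SAMPLE_DUMP = (
    b"\x00\x00POSApp.exe\x00receipt#0042\x00"
    b";4111111111111111=2512101123456789?\x00"      # Luhn-valid test PAN
    b"\x00\x00log: txn ok\x00"
    b";4111111111111112=2512101123456789?\x00"      # fails Luhn -> ignored
    b"\x00\x00" + b"9" * 40 + b"=2512101?\x00"       # 40-digit run: too long, no match
)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_DUMP):
        print(hit)
```

Run against a real process dump (for example one taken with a forensic memory tool from the payment application), the same scan tells you whether clear-text track data was present for a scraper to take; a hit does not by itself prove malware, since the legitimate application holds the data briefly too, which is why the report stresses correlating this with lateral movement and patch-server activity.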

It also points out that many of today's POS devices are particularly vulnerable to malware because they run on older, unprotected Windows XP or even DOS-based systems for which anti-virus is not available. Additionally, in some cases the patch management systems run in a trusted mode, and there may be no anti-virus running at all. The report notes that an endpoint security solution is not a fail-safe way to prevent these attacks, because many of them are targeted and originate from the endpoints themselves, using stolen credentials to breach the systems.

The report covers:

Details of the vulnerabilities and three cases of breach within large, regional and mid-sized retail organizations

The anatomy and findings from these attacks

Recommendations for early attack visibility and detection

According to Attivo Networks, this is the first time deception technology has been used to provide visibility into a POS attack as well as to defeat it. Researchers introduced deception technology into POS networks and found that planting lures and decoys could successfully trick attackers into revealing themselves, both during the initial intrusion and through the ongoing phases of the attack.

Based on this research, Attivo Networks predicts a significant increase in reported POS attacks in 2017, largely because of the high probability that these systems have already been breached and that attackers are already active throughout many networks today, undetected and unchecked.